Bug 1248504 (CVE-2015-0851)

Summary: CVE-2015-0851 xmltooling: incorrect processing of well-formed but invalid XML
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, alazarot, asantos, aszczucz, bdawidow, bruno, cdewolf, chazlett, dandread, darran.lofthouse, dehort, dhorton, epp-bugs, etirelli, felias, guido.grazioli, gvarsami, hfnukal, jason.greene, jawilson, jboss-set, jcoleman, jdg-bugs, jolee, jpallich, jshepherd, kconner, ldimaggi, lgao, lpetrovi, mbaluch, mweiler, mwinkler, myarboro, nwallace, pavelp, pgier, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-09-03 03:55:29 UTC
Bug Depends On: 1248506
Bug Blocks: 1248508

Description Martin Prpič 2015-07-30 12:26:12 UTC
A flaw was found in the way the XMLTooling library parsed certain well-formed but schema-invalid XML inputs. An application using the XMLTooling library could crash when parsing crafted XML inputs.

Additional information:

http://shibboleth.net/community/advisories/secadv_20150721.txt

Upstream patch:

https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900

Comment 1 Martin Prpič 2015-07-30 12:29:08 UTC
Created xmltooling tracking bugs for this issue:

Affects: fedora-all [bug 1248506]